The ThreatFox: DCRat IOCs rule detects potential command and control activity associated with the DCRat malware, leveraging known indicators to identify compromised hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or maintaining long-term access within the network.
IOC Summary
Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]200[.]176[.]105:55476 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 162[.]216[.]241[.]206:7997 | botnet_cc | 2026-06-20 | 75% |
```kusto
// Hunt for network connections to known malicious IPs in CommonSecurityLog
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["5.200.176.105", "162.216.241.206"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt for the same IPs in Defender for Endpoint network events
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["5.200.176.105", "162.216.241.206"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
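The two queries above match on IP address alone, while the ThreatFox IOCs are ip:port pairs; a connection to one of these hosts on a different port may be unrelated traffic to a shared server. The following Python script is an added example, not part of the ThreatFox rule or its queries: it refangs the IOC values from the table, validates them, matches constructed sample network events on the exact ip:port pair (with an option to fall back to IP-only matching, which is what the page's KQL does), and emits an equivalent pair-aware KQL query for DeviceNetworkEvents. The sample events, device names and process names are constructed for illustration.

```python
"""Match network events against ThreatFox-style ip:port IOCs.

Added example (not the ThreatFox rule page's own code). The IOC rows are
copied from the table above in their defanged form; the events are constructed.
"""
from dataclasses import dataclass
import ipaddress

# IOC rows copied from the ThreatFox table above, still defanged.
THREATFOX_IOCS = [
    {"type": "ip:port", "value": "5[.]200[.]176[.]105:55476", "threat_type": "botnet_cc", "confidence": 75},
    {"type": "ip:port", "value": "162[.]216[.]241[.]206:7997", "threat_type": "botnet_cc", "confidence": 75},
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    confidence: int


def refang(value: str) -> str:
    """Turn '5[.]200[.]176[.]105' back into '5.200.176.105'."""
    return value.replace("[.]", ".")


def parse_iocs(rows, min_confidence: int = 0):
    """Parse ip:port rows into Ioc objects, validating IP and port.

    Rows of other types, or below min_confidence, are skipped; a malformed
    IP or port raises so a bad feed row is noticed rather than silently dropped.
    """
    out = []
    for row in rows:
        if row["type"] != "ip:port" or row["confidence"] < min_confidence:
            continue
        ip_str, _, port_str = refang(row["value"]).rpartition(":")
        ip = str(ipaddress.ip_address(ip_str))  # raises ValueError on junk
        port = int(port_str)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in IOC row: {row['value']}")
        out.append(Ioc(ip, port, row["threat_type"], row["confidence"]))
    return out


@dataclass(frozen=True)
class NetworkEvent:
    """Minimal stand-in for a DeviceNetworkEvents row (constructed)."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample events: two true pair matches, one IP-only match, one clean.
SAMPLE_EVENTS = [
    NetworkEvent("2026-06-20T10:01:00Z", "WS-01", "5.200.176.105", 55476, "svchost.exe"),
    NetworkEvent("2026-06-20T10:02:00Z", "WS-02", "5.200.176.105", 443, "browser.exe"),
    NetworkEvent("2026-06-20T10:03:00Z", "WS-03", "162.216.241.206", 7997, "updater.exe"),
    NetworkEvent("2026-06-20T10:04:00Z", "WS-04", "192.0.2.10", 53, "svchost.exe"),
]


def match_events(events, iocs, require_port: bool = True):
    """Return (event, ioc) pairs whose remote IP (and port) match an IOC.

    require_port=False reproduces the page's IP-only KQL behaviour.
    """
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    hits = []
    for ev in events:
        for ioc in by_ip.get(ev.remote_ip, []):
            if not require_port or ioc.port == ev.remote_port:
                hits.append((ev, ioc))
    return hits


def to_kql(iocs) -> str:
    """Emit a DeviceNetworkEvents query matching the exact ip:port pair.

    strcat/tostring and the 'in' operator are standard KQL; the column names
    are those used by the page's own query.
    """
    pairs = ", ".join(f'"{i.ip}:{i.port}"' for i in iocs)
    return (
        f"let malicious_pairs = dynamic([{pairs}]);\n"
        "DeviceNetworkEvents\n"
        '| where strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_pairs)\n'
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    iocs = parse_iocs(THREATFOX_IOCS)
    for ev, ioc in match_events(SAMPLE_EVENTS, iocs):
        print(f"{ev.timestamp} {ev.device} {ev.process} -> {ioc.ip}:{ioc.port} ({ioc.threat_type}, {ioc.confidence}%)")
    print(to_kql(iocs))
```

Running the script with `require_port=True` yields two hits (WS-01 and WS-03); switching to `require_port=False` adds the WS-02 port-443 connection, which is the extra noise the IP-only queries above would surface. Feeding the generated query into Sentinel gives a pair-aware hunt; keep the IP-only version alongside it if the goal is also to catch the same infrastructure on a rotated port.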
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with command lines containing clean, cleanup, or temp.
Scenario: Log Collection and Analysis Tool Execution
Description: A security tool like Splunk or ELK Stack running a script to collect and analyze log files, which may involve IOCs that match the DCRat pattern.
Filter/Exclusion: Exclude processes with parent process names like splunkd.exe, java.exe (for ELK), or command lines containing log, analyze, or collect.
Scenario: Admin Task for Patch Management
Description: An administrator using PowerShell or PsExec to deploy patches or updates across the network, which may involve IOCs that resemble DCRat behavior.
Filter/Exclusion: Exclude processes with command lines containing patch, update, or install, or where the parent process is a known admin tool like PowerShell.exe or PsExec.exe.
Scenario: Database Backup Job Execution
Description: A scheduled job using SQL Server Agent or mysqldump to perform database backups, which may involve IOCs that match the DCRat detection logic.
Filter/Exclusion: Exclude processes with command lines containing backup, dump, or restore, or where the parent process is related to a database service like sqlservr.exe or mysqld.exe.
Scenario: Antivirus or EDR Tool Scanning
Description: A legitimate endpoint protection tool like Microsoft Defender or CrowdStrike performing a full system